Skip to content

Defect and Risk Assessment

LMU/COICP Example

Defect and Risk Assessment Example

Assess LMU/COICP open defects, release impact, accepted internal-review risks, pilot blockers, deferred work, owners, and controls for RC-001.

ES-110 Defects LMU Release Risk

Example purpose

This artifact evaluates ES-109 defects and release risks for LMU-COICP-RC-001.

It determines which defects block operational pilot, which risks can be accepted only under LMU internal-review conditions, and which capabilities remain deferred.

Project

LMU Campus Operations and Incident Coordination Platform

Document control

Field Value
Artifact owner COICP Product Engineer
Primary reviewers Architecture Review Board chair, IT security reviewer, AI reviewer, Compliance reviewer, Campus Safety liaison
Status Accepted with operational-pilot blockers
Last updated 2026-07-06
Related Engineering Stage ES-110 — Release Readiness
Project workspace target docs/project-workspace/release/defect_and_risk_assessment.md

Candidate context

Field Value
Candidate LMU-COICP-RC-001
Planned deployment ID DEP-LMU-COICP-2026-03-18-001
Planned review environment LMU-COICP Internal Engineering Review Environment
Planned dataset Spring Semester Synthetic Incident Dataset
Planned synthetic records 421
Planned reviewer accounts 24
Planned review window March 18–22, 2026
AI Incident Summary Disabled
Operational pilot Not approved

Open defects

Defect ID Summary Severity LMU Release Impact Decision Owner
DEF-001 Invalid status transition not consistently rejected. Medium Could allow inconsistent COICP incident state. Must fix before operational workflow pilot; acceptable for synthetic internal review only. Product Engineer
DEF-002 Full access-control matrix not tested. Medium Could miss unauthorized role behavior across LMU groups. Must test before any real-user pilot. IT Security Reviewer
DEF-003 Evidence write failure behavior not verified. High Could allow state/evidence mismatch and undermine auditability. Blocks operational pilot until verified. Architecture Review Board chair
DEF-004 Emergency-boundary test not fully formalized. Medium Could allow emergency-related incident to be handled as normal COICP workflow. Must formalize before pilot. Product Engineer / Campus Safety liaison
DEF-005 Build/test command evidence not finalized. Medium Weakens repeatable verification evidence. Must finalize before release-quality baseline. Product Engineer

Release risks

Risk Source Impact Mitigation / Condition Accepted By
Evidence failure path unverified DEF-003 Weak auditability under failure Do not conduct operational pilot until verified. Product Owner / Architecture Review Board
Access-control testing incomplete DEF-002 Unauthorized access risk Limit to 24 approved review accounts; complete matrix before pilot. IT Security Reviewer
Status validation defect DEF-001 Workflow inconsistency Fix before pilot; acceptable for synthetic review only. Product Owner
Emergency boundary not fully tested DEF-004 Safety/scope boundary risk Include Campus Safety synthetic scenario before deployment and formalize before pilot. Product Owner / Campus Safety liaison
Retention unresolved Testing summary Compliance uncertainty Use Spring Semester Synthetic Incident Dataset only. Compliance Reviewer
Build/test evidence incomplete DEF-005 Weak repeatability Formalize command evidence before release-quality baseline. Product Engineer
AI Incident Summary deferred AI release review AI readiness incomplete Keep disabled. AI Reviewer

Must-fix before operational pilot

  • DEF-003 — evidence write failure behavior not verified.
  • DEF-002 — full access-control matrix not tested.
  • DEF-001 — invalid status transition defect.
  • DEF-004 — emergency-boundary test not fully formalized.
  • DEF-005 — build/test command evidence incomplete.
  • Retention and cleanup expectations for production-like data.
  • AI readiness if AI Incident Summary is requested.

Accepted risks for LMU internal engineering review only

Risk Accepted Condition
Retention unresolved Spring Semester Synthetic Incident Dataset only.
Access-control matrix incomplete 24 approved internal reviewer accounts only; no real users.
Status validation defect Synthetic review only; no operational workflow use.
Evidence failure path unverified No operational pilot, no real incident records.
Emergency-boundary testing incomplete Campus Safety synthetic scenario only; no emergency workflow.
AI workflow deferred AI Incident Summary disabled and out of scope.

Deferred items

  • AI Incident Summary workflow.
  • Post-incident review export.
  • Full production retention enforcement.
  • Full access-control matrix validation.
  • Operational support model for real users.
  • Broad stakeholder deployment.
  • Real incident workflow pilot.

Assessment decision

Open defects block operational pilot release.
LMU internal engineering review may proceed under strict conditions.

Continue to Guardrail Release Review

Review release status for evidence, access, AI, scope, retention, and direct-update guardrails.

Open Guardrail Release Review →